OnLine Digital Forensic Suite (OnLineDFS) is next-generation software that allows real-time investigation of live computers on networks. It collects volatile operating system and application data that would otherwise be lost when a computer is powered down. OnLineDFS can be deployed with no need for pre-installed agents on target systems. It allows investigators to remotely acquire memory, process listings, network connections and other runtime artifacts from anywhere over the network. The demonstration showed using OnLineDFS to investigate unusual network traffic on a host, acquiring files and memory to search for keylogging malware.

1. Cyber Security Technologies
Presentation of the
OnLine Digital Forensic Suite™
Next-generation software for investigations
of live computers in networks . . .
OnLineDFS Introduction - Proprietary & Confidential - Page 1

2. Focus
OnLine Digital Forensic Suite™ is
a software product
for the real-time investigation
of live, running systems in networks
Product Heritage
 Core technology developed with SBIR
funding from the US Air Force
 Productized for commercial market
 Patent pending
OnLineDFS Introduction - Proprietary & Confidential - Page 2

3. Intended Uses
Target Markets Target Applications
 Fortune 5000  Incident Response
Corporations  Insider Threat
 Government Agencies  External Threat
 Integrators  Compliance
 Service Providers  Information Assurance
 Law Enforcement  E-Discovery
 Criminal Investigations
OnLineDFS Introduction - Proprietary & Confidential - Page 3

4. OnLineDFS™ Deployment
Corporate System Under Investigation
Multi-User Version Depicted Headquarters
Servers
Investigator
(Browser interface)
Corporate Manufacturing Locations
NOC (or other secure location) Network
OnLineDFS Application
Any Location: & Data Store
• Corporate
• Field Location
• Law Enforcement
• Service Provider
• Home Office, Hotel, etc.
Note: Browser interface and System Under Investigation
OnLineDFS™ application can Regional
co-reside Offices
wired/wireless/mobile
System Under Investigation
OnLineDFS Introduction - Proprietary & Confidential - Page 4

5. OnLineDFS Today
 Volatile State Data  Memory  Persistent data
 29 sources of  Acquisition  Files, folders,
running state data directories,
 Examination
captured from metadata, etc.
Windows targets,  Search
 Unallocated and
similar with Unix  Registry
and Linux targets slack space
 Walk
 Acquisition  Capture, search
 Acquisition
 Examination  Image disk
 Search
Most volatile Persistent
Summary of OnLineDFS Functionality
OnLineDFS Introduction - Proprietary & Confidential - Page 5

6. Key Attributes
 Built for the examination of running systems
 Collects information that is lost when computer is shut down
 Strong emphasis on volatile data and live examination of persistent data for
rapid mitigation of risk
 “Plug-and-play” deployment
 OnLineDFS installed on network or subnet – no physical contact with target
system required
 No pre-installed agents
 Straightforward, simple architecture
 Simple set-up and operation
 Technology can be readily integrated with other technologies
 Investigate from anywhere, to anywhere
 Investigator can work where the application is, or remotely from anywhere
with Internet connectivity
 Investigations performed though secure network connection
 Wired/wireless/mobile targets OK
 Discreet, non-disruptive:
 Computer being analyzed is left in place
 No end-user involvement needed
 Investigative activity very difficult to detect
 Stable, solid product
 Release 3.6
 Designed to adhere to forensic best practices
4
OnLineDFS Introduction - Proprietary & Confidential - Page 6

7. OnLineDFS Advantages
 Designed for use in an enterprise environment
 Built for on-line, real-time, networked world
 Drill down live to hosts with issues of investigative interest
 Proactive tool to address issues as they are happening
 No pre-installed agents
 Plug-and-play product based on simple architecture,
very easy to deploy, maintain and use
 Discreet, unobtrusive, does not disrupt operations
 Flexible analytical approach fits real world
 Go where the data takes you, acquire what you need
 Enhances investigation productivity and timeliness
 Leverages investment in third-party tools
 Adheres to forensic best practices
OnLineDFS Introduction - Proprietary & Confidential - Page 7

8. OnLineDFS Delivers
Law Enforcement An effective tool for investigations
in an enterprise environment
Enterprises A cost-effective tool to mitigate
risk, conduct investigations
effectively
Service Providers A tool to deliver outstanding
customer timeliness and value
OnLineDFS Introduction - Proprietary & Confidential - Page 8

9. Volatile Data Acquisition
OnLineDFS Introduction - Proprietary & Confidential - Page 9

10. Memory and Registry
OnLineDFS Introduction - Proprietary & Confidential - Page 10

11. Persistent Data
OnLineDFS Introduction - Proprietary & Confidential - Page 11

12. Data Analysis
OnLineDFS Introduction - Proprietary & Confidential - Page 12

13. Primary Data and Search
OnLineDFS Introduction - Proprietary & Confidential - Page 13

14. Demonstration Scenario
 Network security has observed unusual traffic
on port 730 of host 192.168.171.202
 You are authorized to investigate this host and
have the and administrative account and
password necessary to perform the
investigation
OnLineDFS Introduction - Proprietary & Confidential - Page 14

15. Start the Investigation
OnLineDFS Introduction - Proprietary & Confidential - Page 15

16. Perform the Initial Acquire
OnLineDFS Introduction - Proprietary & Confidential - Page 16

17. Initial Acquire Completed
OnLineDFS Introduction - Proprietary & Confidential - Page 17

18. Let’s look at the Volatile Data
OnLineDFS Introduction - Proprietary & Confidential - Page 18

19. Look at Port 730 details
OnLineDFS Introduction - Proprietary & Confidential - Page 19

20. Let’s look at WINWORD
OnLineDFS Introduction - Proprietary & Confidential - Page 20

21. Dig Deeper
OnLineDFS Introduction - Proprietary & Confidential - Page 21

22. And Deeper
OnLineDFS Introduction - Proprietary & Confidential - Page 22

23. Acquire the WINWORD.exe
OnLineDFS Introduction - Proprietary & Confidential - Page 23

24. Acquire the WINWORD.exe
OnLineDFS Introduction - Proprietary & Confidential - Page 24

25. Acquire the WINWORD.exe
OnLineDFS Introduction - Proprietary & Confidential - Page 25

26. Acquire Completed
OnLineDFS Introduction - Proprietary & Confidential - Page 26

27. Let’s search within the acquired file
OnLineDFS Introduction - Proprietary & Confidential - Page 27

28. Search Completed with 5 matches
OnLineDFS Introduction - Proprietary & Confidential - Page 28

29. Let’s acquire memory
OnLineDFS Introduction - Proprietary & Confidential - Page 29

30. Background Task
OnLineDFS Introduction - Proprietary & Confidential - Page 30

31. Memory Acquire Completed
OnLineDFS Introduction - Proprietary & Confidential - Page 31

32. View Memory
OnLineDFS Introduction - Proprietary & Confidential - Page 32

33. Search for “Keylogger”
OnLineDFS Introduction - Proprietary & Confidential - Page 33

34. Search Results-Six Matches
OnLineDFS Introduction - Proprietary & Confidential - Page 34

35. Looks like a credit card entry
OnLineDFS Introduction - Proprietary & Confidential - Page 35

36. Let’s find the suspect
OnLineDFS Introduction - Proprietary & Confidential - Page 36

37. Start a new inquiry
OnLineDFS Introduction - Proprietary & Confidential - Page 37

38. Look at Port 1142
OnLineDFS Introduction - Proprietary & Confidential - Page 38

39. Have a look at Telnet
OnLineDFS Introduction - Proprietary & Confidential - Page 39

40. Search for credit card format
OnLineDFS Introduction - Proprietary & Confidential - Page 40

41. Let’s find Amazon
OnLineDFS Introduction - Proprietary & Confidential - Page 41

42. Same data- he is the bad guy
OnLineDFS Introduction - Proprietary & Confidential - Page 42

43. Comprehensive Documentation
OnLineDFS Introduction - Proprietary & Confidential - Page 43

44. Let’s Review the Investigation
 Acquired volatile data from host A
 Looked at port 730 details and found
WINWORD.exe
 Acquired the WINWORD.exe file
 Determined that it is a keylogger
 Acquired memory and found the keylogger
program and credit card data
 Referred back to the port 730 details and
identified the IP address and port of the host
connected to host A
OnLineDFS Introduction - Proprietary & Confidential - Page 44

45. Let’s Review the Investigation
 With this information, initiated a second
investigation on host B
 From the volatile data acquired, we identified
telnet as the process associated with port 1142
 Acquired memory and found the exact same
credit card data as was found in the memory of
host A
 Automatically generated detailed and
thorough documentation of the entire
investigation
OnLineDFS Introduction - Proprietary & Confidential - Page 45

46. Cyber Security Technologies
Questions?
OnLineDFS Introduction - Proprietary & Confidential - Page 46